HIDL_DEBUG_TRANSACTION restricted to shell + su

As a precautionary measure.

Bug: 156096455
Test: add ::debug method to cuttlefish nnapi HAL, and turn off selinux,
    since we don't care that HALs happen not to be able to read
    fifo_file from certain domains, we are only interested in checking
    that permissions are restricted based on group and taking advantage
    of lshal to do this. Then, on an unrooted device:

$ adb shell lshal debug android.hardware.neuralnetworks@1.3::IDevice/nnapi-sample_quant
(proper output)
$ adb root
$ adb shell lshal debug android.hardware.neuralnetworks@1.3::IDevice/nnapi-sample_quant
(proper output)
$ adb shell su shell lshal debug android.hardware.neuralnetworks@1.3::IDevice/nnapi-sample_quant
(proper output)
$ adb shell su system lshal debug android.hardware.neuralnetworks@1.3::IDevice/nnapi-sample_quant
(failed transaction and error log, as expected)

Change-Id: If221c6180095700ac1fe676ac0472f3623b2c5e0
diff --git a/Binder.cpp b/Binder.cpp
index 9edd27b..0d8f2ca 100644
--- a/Binder.cpp
+++ b/Binder.cpp
@@ -16,15 +16,20 @@
 
 #include <hwbinder/Binder.h>
 
-#include <atomic>
-#include <utils/misc.h>
+#include <android-base/macros.h>
+#include <cutils/android_filesystem_config.h>
 #include <hwbinder/BpHwBinder.h>
 #include <hwbinder/IInterface.h>
+#include <hwbinder/IPCThreadState.h>
 #include <hwbinder/Parcel.h>
+#include <utils/Log.h>
+#include <utils/misc.h>
 
 #include <linux/sched.h>
 #include <stdio.h>
 
+#include <atomic>
+
 namespace android {
 namespace hardware {
 
@@ -110,6 +115,14 @@
 {
     data.setDataPosition(0);
 
+    if (UNLIKELY(code == HIDL_DEBUG_TRANSACTION)) {
+        uid_t uid = IPCThreadState::self()->getCallingUid();
+        if (uid != AID_SHELL && uid != AID_ROOT) {
+            ALOGE("Can only call IBase::debug from root or shell");
+            return PERMISSION_DENIED;
+        }
+    }
+
     status_t err = NO_ERROR;
     switch (code) {
         default:
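Review bot: The rejection log on the new `ALOGE("Can only call IBase::debug from root or shell");` line records neither the calling UID nor the interface, so the "failed transaction and error log" a tester sees (commit description) cannot be attributed to a caller; `ALOGE("Can only call IBase::debug from root or shell, not uid %u", uid);` would make the denial actionable when triaging. The new block also deserves a why-comment, since a reader of transact() will not know why one transaction code is special-cased ahead of the switch: `// Defense in depth: IBase::debug exposes HAL-internal state, so gate it on the caller's UID here, in front of the generated onTransact dispatch, rather than relying on each HAL or on SELinux alone.` Presumably getCallingUid() on a thread that is not servicing a binder call falls back to the process's own UID, so an in-process debug() call from a HAL running as neither root nor shell would also be rejected — worth confirming and noting in that comment. transact()'s signature is above the hunk and its switch continues below it.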